<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/kernel/audit.c, branch v2.6.28</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v2.6.28</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v2.6.28'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2008-12-09T07:27:41Z</updated>
<entry>
<title>[PATCH] fix broken timestamps in AVC generated by kernel threads</title>
<updated>2008-12-09T07:27:41Z</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2008-12-06T06:05:50Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=48887e63d6e057543067327da6b091297f7fe645'/>
<id>urn:sha1:48887e63d6e057543067327da6b091297f7fe645</id>
<content type='text'>
Timestamp in audit_context is valid only if -&gt;in_syscall is set.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[PATCH] Audit: make audit=0 actually turn off audit</title>
<updated>2008-12-09T07:27:37Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2008-11-05T17:47:09Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=a3f07114e3359fb98683069ae397220e8992a24a'/>
<id>urn:sha1:a3f07114e3359fb98683069ae397220e8992a24a</id>
<content type='text'>
Currently audit=0 on the kernel command line does absolutely nothing.
Audit always loads and always uses its resources such as creating the
kernel netlink socket.  This patch causes audit=0 to actually disable
audit.  Audit will use no resources and starting the userspace auditd
daemon will not cause the kernel audit system to activate.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[PATCH] Fix the bug of using AUDIT_STATUS_RATE_LIMIT when set fail, no error output.</title>
<updated>2008-08-01T16:15:16Z</updated>
<author>
<name>zhangxiliang</name>
<email>zhangxiliang@cn.fujitsu.com</email>
</author>
<published>2008-07-31T02:11:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=20c6aaa39ab735c7ed78e4e5a214d250efae0a6e'/>
<id>urn:sha1:20c6aaa39ab735c7ed78e4e5a214d250efae0a6e</id>
<content type='text'>
When the "status_get-&gt;mask" is "AUDIT_STATUS_RATE_LIMIT || AUDIT_STATUS_BACKLOG_LIMIT",
if "audit_set_rate_limit" fails and "audit_set_backlog_limit" succeeds, the "err" value
will be greater than or equal to 0. It will miss the failure of the rate set.

Signed-off-by: Zhang Xiliang &lt;zhangxiliang@cn.fujitsu.com&gt;
Acked-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>kernel/audit.c control character detection is off-by-one</title>
<updated>2008-08-01T16:05:35Z</updated>
<author>
<name>Vesa-Matti J Kari</name>
<email>vmkari@cc.helsinki.fi</email>
</author>
<published>2008-07-22T21:06:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1d6c9649e236caa2e93e3647256216e57172b011'/>
<id>urn:sha1:1d6c9649e236caa2e93e3647256216e57172b011</id>
<content type='text'>
Hello,

According to my understanding there is an off-by-one bug in the
function:

   audit_string_contains_control()

in:

  kernel/audit.c

Patch is included.

I do not know how many places the function is called from, but for
example, SELinux Access Vector Cache tries to log untrusted filenames via
call path:

avc_audit()
     audit_log_untrustedstring()
         audit_log_n_untrustedstring()
             audit_string_contains_control()

If audit_string_contains_control() detects control characters, then the
string is hex-encoded. But the hex=0x7f dec=127, DEL-character, is not
detected.

I guess this could have at least some minor security implications, since a
user can create a filename with 0x7f in it, causing the logged filename to
possibly look different when someone reads it on the terminal.

Signed-off-by: Vesa-Matti Kari &lt;vmkari@cc.helsinki.fi&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[PATCH] remove useless argument type in audit_filter_user()</title>
<updated>2008-06-25T03:36:35Z</updated>
<author>
<name>Peng Haitao</name>
<email>penght@cn.fujitsu.com</email>
</author>
<published>2008-05-20T01:13:02Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=d8de72473effd674a3c1fe9621821f406f5587c9'/>
<id>urn:sha1:d8de72473effd674a3c1fe9621821f406f5587c9</id>
<content type='text'>
The second argument "type" is not used in audit_filter_user(), so I think that type can be removed. If I'm wrong, please tell me.

Signed-off-by: Peng Haitao &lt;penght@cn.fujitsu.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[PATCH] kernel/audit.c: nlh-&gt;nlmsg_type is gotten more than once</title>
<updated>2008-06-25T03:36:21Z</updated>
<author>
<name>Peng Haitao</name>
<email>penght@cn.fujitsu.com</email>
</author>
<published>2008-05-16T02:15:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=13d5ef97f0675d789f559cfebc1df9d5e2b1879c'/>
<id>urn:sha1:13d5ef97f0675d789f559cfebc1df9d5e2b1879c</id>
<content type='text'>
The first argument "nlh-&gt;nlmsg_type" of audit_receive_filter() should be modified to "msg_type" in audit_receive_msg().

Signed-off-by: Peng Haitao &lt;penght@cn.fujitsu.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[patch 1/1] audit_send_reply(): fix error-path memory leak</title>
<updated>2008-05-17T07:30:22Z</updated>
<author>
<name>Andrew Morton</name>
<email>akpm@linux-foundation.org</email>
</author>
<published>2008-05-14T23:11:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=fcaf1eb8685a00a99259e138e403841e984385b0'/>
<id>urn:sha1:fcaf1eb8685a00a99259e138e403841e984385b0</id>
<content type='text'>
Addresses http://bugzilla.kernel.org/show_bug.cgi?id=10663

Reporter: Daniel Marjamki &lt;danielm77@spray.se&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[patch 2/2] Use find_task_by_vpid in audit code</title>
<updated>2008-04-28T10:28:30Z</updated>
<author>
<name>Pavel Emelyanov</name>
<email>xemul@openvz.org</email>
</author>
<published>2008-04-18T20:30:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4a761b8c1d7a3a4ee7ccf92ce255d986f601e067'/>
<id>urn:sha1:4a761b8c1d7a3a4ee7ccf92ce255d986f601e067</id>
<content type='text'>
The pid to look up a task by is passed inside audit code via netlink message.

Thanks to Denis Lunev, netlink packets are now (since 2.6.24) _always_
processed in the context of the sending task.  So it is correct to look up
the task with find_task_by_vpid() here.

Signed-off-by: Pavel Emelyanov &lt;xemul@openvz.org&gt;
Cc: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>[PATCH 2/2] audit: fix sparse shadowed variable warnings</title>
<updated>2008-04-28T10:28:17Z</updated>
<author>
<name>Harvey Harrison</name>
<email>harvey.harrison@gmail.com</email>
</author>
<published>2008-04-27T09:39:56Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=7719e437fac119e57b17588bab3a8e39ff9d22eb'/>
<id>urn:sha1:7719e437fac119e57b17588bab3a8e39ff9d22eb</id>
<content type='text'>
Use msglen as the identifier.
kernel/audit.c:724:10: warning: symbol 'len' shadows an earlier one
kernel/audit.c:575:8: originally declared here

Don't use ino_f to check the inode field at the end of the functions.
kernel/auditfilter.c:429:22: warning: symbol 'f' shadows an earlier one
kernel/auditfilter.c:420:21: originally declared here
kernel/auditfilter.c:542:22: warning: symbol 'f' shadows an earlier one
kernel/auditfilter.c:529:21: originally declared here

i is always used as a counter for a for loop and initialized to zero before
use.  Eliminate the inner i variables.
kernel/auditsc.c:1295:8: warning: symbol 'i' shadows an earlier one
kernel/auditsc.c:1152:6: originally declared here
kernel/auditsc.c:1320:7: warning: symbol 'i' shadows an earlier one
kernel/auditsc.c:1152:6: originally declared here

Signed-off-by: Harvey Harrison &lt;harvey.harrison@gmail.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
<entry>
<title>Audit: standardize string audit interfaces</title>
<updated>2008-04-28T10:19:22Z</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2008-04-18T14:12:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b556f8ad58c6e9f8f485c8cef7546e3fc82c382a'/>
<id>urn:sha1:b556f8ad58c6e9f8f485c8cef7546e3fc82c382a</id>
<content type='text'>
This patch standardized the string auditing interfaces.  No userspace
changes will be visible and this is all just cleanup and consistency
work.  We have the following string audit interfaces to use:

void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);

void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
void audit_log_string(struct audit_buffer *ab, const char *buf);

void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);

This may be the first step to possibly fixing some of the issues that
people have with the string output from the kernel audit system.  But we
still don't have an agreed upon solution to that problem.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
</entry>
</feed>
